Foundation of Cryptography (0368-4162-01), Lecture 5: Interactive Proofs and Zero Knowledge
Iftach Haitner, Tel Aviv University, December 4, 2011 (PowerPoint PPT presentation)

Part I Interactive Proofs
Non-interactive vs. Interactive Proofs

Definition 1 (NP) L ∈ NP iff ∃ ℓ ∈ poly and a poly-time algorithm V such that:
- ∀x ∈ L ∩ {0, 1}^n there exists w ∈ {0, 1}^{ℓ(n)} s.t. V(x, w) = 1
- V(x, ·) = 0 for every x ∉ L

This is a non-interactive proof: a single witness w is sent and checked. Interactive proofs?
Interactive protocols
- Interactive algorithm
- Protocol π = (A, B)
- (A(i_A), B(i_B))(i): the random variable describing the parties' joint output on common input i, where i_A and i_B are the private inputs of A and B
- m-round algorithm, m-round protocol
Interactive Proofs

Definition 2 (Interactive Proof (IP)) A protocol (P, V) is an interactive proof for L, if V is PPT and the following hold:
- Completeness: ∀x ∈ L, Pr[(P, V)(x) = Accept] ≥ 2/3
- Soundness: ∀x ∉ L and any algorithm P∗, Pr[(P∗, V)(x) = Accept] ≤ 1/3

- IP = PSPACE
- We typically consider (and achieve) perfect completeness.
- Negligible "soundness error" is achieved via repetition.
- Soundness only against PPT P∗: computationally sound proofs / interactive arguments.
- Efficient provers via "auxiliary input" (the prover is given a witness).
Section 1 IP for GNI
Graph isomorphism

Π_m: the set of all permutations from [m] to [m].

Definition 3 (graph isomorphism) Graphs G0 = ([m], E0) and G1 = ([m], E1) are isomorphic, denoted G0 ≡ G1, if ∃π ∈ Π_m such that (u, v) ∈ E0 iff (π(u), π(v)) ∈ E1. GI = {(G0, G1): G0 ≡ G1}.

- Assume a reasonable mapping from graphs to strings.
- GI ∈ NP (the witness is π).
- Does GNI = {(G0, G1): G0 ≢ G1} ∈ NP? No NP witness for non-isomorphism is known. We will show a simple interactive proof for GNI.
- Idea: beer tasting (the prover shows it can tell the two graphs apart).
IP for GNI

Protocol 4 ((P, V)) Common input: G0 = ([m], E0), G1 = ([m], E1)
1. V chooses b ← {0, 1} and π ← Π_m, and sends π(E_b) = {(π(u), π(v)): (u, v) ∈ E_b} to P
2. P sends b′ to V (tries to set b′ = b)
3. V accepts iff b′ = b

Claim 5 The above protocol is an IP for GNI, with perfect completeness and soundness error 1/2.
Proving Claim 5
- Graph isomorphism is an equivalence relation (it partitions the set of all graphs on [m] into disjoint classes).
- For π ← Π_m, ([m], π(E_i)) is a uniformly random element of [G_i], the equivalence class of G_i.
- Hence, if G0 ≡ G1: [G0] = [G1], so the message π(E_b) has the same distribution for b = 0 and b = 1 and carries no information about b. For any P∗, Pr[b′ = b] ≤ 1/2.
- If G0 ≢ G1: Pr[b′ = b] = 1, since b can (possibly inefficiently) be extracted from π(E_b) by checking which of G0, G1 it is isomorphic to.
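Protocol 4 and the two cases of Claim 5, run end to end. This is an added example and not part of the lecture slides; it assumes graphs on [m] = {0, ..., m−1} stored as sets of sorted edge tuples, realises the unbounded prover by brute force over all m! permutations (so m must stay small), and uses constructed sample graphs PATH, STAR and PATH_ISO.

```python
"""Protocol 4 (the interactive proof for GNI) simulated end to end.

Added example; not from the lecture slides. Graphs live on [m] = {0, ..., m-1}
and are stored as frozensets of sorted edge tuples. The protocol's prover is
computationally unbounded; here that is realised by brute force over all m!
permutations, so keep m small.
"""
import itertools
import random


def apply_perm(perm, edges):
    """pi(E) = {(pi(u), pi(v)) : (u, v) in E}, normalised to sorted tuples."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)


def isomorphic(m, e0, e1):
    """Unbounded check: is there a pi in Pi_m with pi(E0) = E1?"""
    return any(apply_perm(p, e0) == e1 for p in itertools.permutations(range(m)))


def verifier_challenge(m, e0, e1, rng):
    """Step 1: V picks b <- {0,1} and pi <- Pi_m and sends H = pi(E_b)."""
    b = rng.randrange(2)
    pi = list(range(m))
    rng.shuffle(pi)
    return b, apply_perm(pi, (e0, e1)[b])


def honest_prover(m, e0, e1, h, rng):
    """Step 2: P names the graph whose isomorphism class contains H.

    If G0 and G1 are isomorphic both classes coincide, H carries no
    information about b, and P can do no better than a coin flip.
    """
    matches = [i for i, e in enumerate((e0, e1)) if isomorphic(m, e, h)]
    return matches[0] if len(matches) == 1 else rng.randrange(2)


def lazy_prover(m, e0, e1, h, rng):
    """A P* that ignores H. On isomorphic graphs every P* is capped at 1/2,
    because H is independent of b; this one simply attains the cap."""
    return 0


def run_protocol(m, e0, e1, rng, prover=honest_prover):
    """One execution of Protocol 4; returns True iff V accepts (b' = b)."""
    b, h = verifier_challenge(m, e0, e1, rng)
    return prover(m, e0, e1, h, rng) == b


def acceptance_rate(m, e0, e1, trials=400, seed=1, prover=honest_prover):
    """Empirical acceptance probability over independent executions."""
    rng = random.Random(seed)
    return sum(run_protocol(m, e0, e1, rng, prover) for _ in range(trials)) / trials


# Constructed sample instances on m = 4 vertices.
PATH = frozenset({(0, 1), (1, 2), (2, 3)})        # path 0-1-2-3
STAR = frozenset({(0, 1), (0, 2), (0, 3)})        # star centred at 0; not a path
PATH_ISO = frozenset({(1, 3), (0, 3), (0, 2)})    # path 1-3-0-2, isomorphic to PATH

if __name__ == "__main__":
    print("(PATH, STAR) in GNI, honest P accepted w.p.", acceptance_rate(4, PATH, STAR))
    print("(PATH, PATH_ISO) not in GNI, honest P accepted w.p.", acceptance_rate(4, PATH, PATH_ISO))
    print("(PATH, PATH_ISO) not in GNI, lazy P* accepted w.p.", acceptance_rate(4, PATH, STAR, prover=lazy_prover))
```

The honest prover is accepted every time on the GNI instance and about half the time on the isomorphic pair, matching the perfect completeness and the 1/2 soundness error of Claim 5; repeating the protocol k times independently drives the latter to 2^{−k}.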
Part II Zero Knowledge Proofs
The concept of zero knowledge
- Proving without revealing any additional information.
- What does it mean? The simulation paradigm: whatever the verifier can compute after interacting with the prover, it could have computed on its own from the statement alone.
Zero knowledge proof

Definition 6 (computational ZK) An interactive proof (P, V) is a computational zero-knowledge proof (CZKP) for L, if ∀ PPT V∗, ∃ PPT S such that {(P, V∗)(x)}_{x∈L} ≈c {S(x)}_{x∈L}.

Perfect ZK (PZKP) / statistical ZK (SZKP): the above distributions are identical / statistically close, even for unbounded V∗.

1. ZK is a property of the prover.
2. ZK is only required to hold with respect to true statements.
3. W.l.o.g. V∗'s output is its "view" (its random coins and the messages it received).
4. Trivial to achieve for L ∈ BPP (V decides by itself and the simulator just runs V∗).
5. Extension: auxiliary input.
6. The "standard" NP proof (sending the witness) is typically not zero knowledge.
7. Next class: ZK for all NP.
Section 2 ZK Proof for GI
ZK Proof for Graph Isomorphism

Idea: route finding.

Protocol 7 ((P, V)) Common input: x = (G0 = ([m], E0), G1 = ([m], E1)). P's input: a permutation π such that π(E1) = E0
1. P chooses π′ ← Π_m and sends E = π′(E0) to V
2. V sends b ← {0, 1} to P
3. If b = 0, P sets π″ = π′; otherwise it sets π″ = π′ ∘ π. P sends π″ to V
4. V accepts iff π″(E_b) = E

Claim 8 The above protocol is an SZKP for GI, with perfect completeness and soundness error 1/2.
Proving Claim 8

Completeness: Clear (if b = 0 then π″(E0) = π′(E0) = E; if b = 1 then π″(E1) = π′(π(E1)) = π′(E0) = E).

Soundness: If there exists j ∈ {0, 1} for which ∄π′ ∈ Π_m with π′(E_j) = E, then V rejects w.p. at least 1/2 (it picks b = j w.p. 1/2). Assume V rejects w.p. less than 1/2 and let π0 and π1 be the permutations guaranteed by the above observation (i.e., mapping E0 and E1 to E respectively). Then π0^{−1}(π1(E1)) = π0^{−1}(E) = E0 ⟹ (G0, G1) ∈ GI.

ZK idea: for (G0, G1) ∈ GI, it is easy to generate a random transcript of Steps 1-2 (a random isomorphic copy E together with a guess for b), and to be able to open it w.p. 1/2.
The simulator

For a start we consider a deterministic cheating verifier V∗ that never aborts.

Algorithm 9 (S) Input: x = (G0 = ([m], E0), G1 = ([m], E1)). Do |x| times:
1. Choose b′ ← {0, 1} and π ← Π_m, and "send" π(E_{b′}) to V∗(x).
2. Let b be V∗'s answer. If b = b′, send π to V∗, output V∗'s output and halt. Otherwise, rewind the simulation to its first step.
Abort (if none of the |x| attempts succeeded).

Claim 10 {(P, V∗)(x)}_{x∈GI} ≈s {S(x)}_{x∈GI} (statistically close).
Proving Claim 10

Algorithm 11 (S′) Input: x = (G0 = ([m], E0), G1 = ([m], E1)). Do |x| times:
1. Choose π ← Π_m and send E = π(E0) to V∗(x).
2. Let b be V∗'s answer. W.p. 1/2, find (possibly inefficiently) a uniformly random π′ such that E = π′(E_b), send it to V∗, output V∗'s output and halt. Otherwise, rewind the simulation to its first step.
Abort.

Claim 12 S(x) ≡ S′(x) for any x ∈ GI.
Proof: ? (Hint: for x ∈ GI, π(E_{b′}) is a uniform element of [G0] whichever b′ was chosen, so the first message is distributed as in S′ and is independent of b′; hence Pr[b = b′] is exactly 1/2, and conditioned on it the opening π is a uniformly random permutation mapping E_b to E.)
Proving Claim 10 cont.

Algorithm 13 (S″) Input: x = (G0 = ([m], E0), G1 = ([m], E1))
1. Choose π ← Π_m and send E = π(E0) to V∗(x).
2. Let b be V∗'s answer. Find a uniformly random π′ such that E = π′(E_b), send it to V∗, output V∗'s output and halt.

Claim 14 ∀x ∈ GI it holds that
1. (P, V∗)(x) ≡ S″(x).
2. SD(S″(x), S′(x)) ≤ 2^{−|x|}.
Proof: ? (1) is clear: S″ sends exactly the honest prover's first message, and its opening has the same distribution as the honest prover's π″, which S″ simply finds by brute force rather than computing from the witness.
Proving Claim 14(2)

Fix (E, π′) and let α = Pr_{S″}[(E, π′)]. S′ outputs (E, π′) in iteration i iff its first i − 1 attempts failed (each independently w.p. 1/2) and the i-th attempt succeeds and produces (E, π′). It holds that

Pr_{S′}[(E, π′)] = α · Σ_{i=1}^{|x|} (1 − 1/2)^{i−1} · (1/2) = (1 − 2^{−|x|}) · α.

Hence, SD(S″(x), S′(x)) ≤ 2^{−|x|}: the only mass S′ moves is the 2^{−|x|} it puts on Abort.
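Protocol 7 together with the rewinding simulator of Algorithm 9, plus an exact check of the argument behind Claims 12 and 14: against a deterministic cheating verifier, the distribution of the real view (E, b, π″) is computed by enumerating all of the prover's coins and compared, as exact fractions, with the distribution of a successful simulator iteration. This is an added example and not code from the lecture; it assumes graphs on [m] stored as sets of sorted edge tuples, permutations as lists with compose(a, b)[x] = a[b[x]], a constructed instance E0, E1 with witness WITNESS, and a constructed cheating verifier parity_vstar whose bit depends on the graph it receives.

```python
"""Protocol 7 (ZK proof for GI) with the rewinding simulator of Algorithm 9.

Added example; not from the lecture slides. Graphs are frozensets of sorted
edge tuples over [m]; permutations are lists; compose(a, b)[x] = a[b[x]].
"""
import itertools
import random
from collections import Counter
from fractions import Fraction


def apply_perm(perm, edges):
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)


def compose(outer, inner):
    """(outer o inner)(x) = outer(inner(x))."""
    return [outer[inner[x]] for x in range(len(inner))]


def verify(e0, e1, transcript):
    """Step 4: V accepts iff pi''(E_b) = E."""
    e, b, pi2 = transcript
    return apply_perm(pi2, (e0, e1)[b]) == e


def prover_round(e0, e1, witness, pi1, b):
    """Steps 1 and 3 of the honest prover (witness(E1) = E0), given its coins pi1
    and V's challenge b. Returns the transcript (E, b, pi'')."""
    e = apply_perm(pi1, e0)                          # Step 1: E = pi'(E0)
    pi2 = pi1 if b == 0 else compose(pi1, witness)   # Step 3: pi' or pi' o pi
    return (e, b, tuple(pi2))


def honest_run(e0, e1, witness, rng):
    """Completeness: honest P against the honest V (uniform b)."""
    pi1 = list(range(len(witness)))
    rng.shuffle(pi1)
    return verify(e0, e1, prover_round(e0, e1, witness, pi1, rng.randrange(2)))


def completeness_rate(e0, e1, witness, trials=200, seed=5):
    rng = random.Random(seed)
    return sum(honest_run(e0, e1, witness, rng) for _ in range(trials)) / trials


def real_view_distribution(e0, e1, witness, vstar):
    """Exact distribution of V*'s view (E, b, pi'') against the honest prover."""
    m = len(witness)
    dist = Counter()
    for pi1 in itertools.permutations(range(m)):
        e = apply_perm(pi1, e0)
        dist[prover_round(e0, e1, witness, list(pi1), vstar(e))] += Fraction(1)
    total = sum(dist.values())
    return {t: p / total for t, p in dist.items()}


def sim_attempt(e0, e1, vstar, b_guess, pi):
    """One iteration of Algorithm 9: send pi(E_{b'}), read V*'s bit, open iff it matches."""
    e = apply_perm(pi, (e0, e1)[b_guess])
    b = vstar(e)
    return (e, b, tuple(pi)) if b == b_guess else None


def simulated_distribution(e0, e1, vstar, m):
    """Exact distribution of a successful simulator iteration (conditioned on success)."""
    dist = Counter()
    for b_guess in (0, 1):
        for pi in itertools.permutations(range(m)):
            t = sim_attempt(e0, e1, vstar, b_guess, list(pi))
            if t is not None:
                dist[t] += Fraction(1)
    total = sum(dist.values())
    return {t: p / total for t, p in dist.items()}


def simulate(e0, e1, vstar, m, rng, rounds):
    """Algorithm 9 with rewinding: up to `rounds` attempts, then abort (None)."""
    for _ in range(rounds):
        pi = list(range(m))
        rng.shuffle(pi)
        t = sim_attempt(e0, e1, vstar, rng.randrange(2), pi)
        if t is not None:
            return t
    return None


def simulator_stats(e0, e1, vstar, m, rounds, trials=1000, seed=7):
    """(fraction of runs that abort, whether every produced transcript verifies).
    Claim 14 bounds the abort probability by 2^-rounds."""
    rng = random.Random(seed)
    aborts, all_ok = 0, True
    for _ in range(trials):
        t = simulate(e0, e1, vstar, m, rng, rounds)
        if t is None:
            aborts += 1
        else:
            all_ok = all_ok and verify(e0, e1, t)
    return aborts / trials, all_ok


# Constructed instance on m = 3: two paths and a witness pi with pi(E1) = E0.
E0 = frozenset({(0, 1), (1, 2)})   # path 0-1-2
E1 = frozenset({(0, 2), (1, 2)})   # path 0-2-1
WITNESS = [0, 2, 1]                # maps E1 onto E0


def parity_vstar(e):
    """Constructed deterministic cheating V*: its bit is a function of the graph received."""
    return sum(u + v for u, v in e) % 2
```

The dictionary equality real_view_distribution == simulated_distribution is the exact statement proved through Claims 12 and 14(1): with the opening chosen as the simulator chooses it, a successful iteration of S has precisely the honest prover's view, whatever deterministic rule V∗ uses to pick b. The abort rate of the |x|-round loop is what Claim 14(2) charges to the statistical distance.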
Remarks
1. Randomized verifiers (fix V∗'s coins as part of its auxiliary input).
2. Aborting verifiers: normalize the aborting probability.
3. Auxiliary input.
4. Negligible soundness error? Sequential / parallel composition.
5. Perfect ZK for "expected time simulators" (run the rewinding loop until it succeeds).
6. "Black box" simulation.
Section 3 Black-box ZK
Black-box simulators

Definition 15 (Black-box simulator) (P, V) is a CZKP with black-box simulation for L, if ∃ an oracle-aided PPT S s.t. for every deterministic polynomial-time V∗ (the length of the auxiliary input does not count towards the running time):

{(P(w_x), V∗(z_x))(x)}_{x∈L} ≈c {S^{V∗(x, z_x)}(x)}_{x∈L} for any {(w_x, z_x) ∈ R_L(x) × {0, 1}∗}_{x∈L}.

Perfect and statistical variants are defined analogously.

1. "Most simulators" are black box.
2. Strictly weaker than general simulation!
Section 4 Zero Knowledge for all NP
CZKP for 3COL

Assuming that OWFs exist, we give a CZKP for 3COL. We then show how to transform it into a CZKP for any L ∈ NP (using that 3COL ∈ NPC).

Definition 16 (3COL) G = (M, E) ∈ 3COL, if ∃ φ: M → [3] s.t. φ(u) ≠ φ(v) for every (u, v) ∈ E.

We use commitment schemes.
The protocol

Let Π_3 be the set of all permutations over [3]. We use a perfectly binding commitment Com (would statistically binding suffice?).

Protocol 17 ((P, V)) Common input: graph G = (M, E) with n = |G|. P's input: a (valid) coloring φ of G
1. P chooses π ← Π_3 and sets ψ = π ∘ φ
2. ∀v ∈ M: P commits to ψ(v) using Com(1^n). Let c_v and d_v be the resulting commitment and decommitment.
3. V sends e = (u, v) ← E to P
4. P sends (d_u, ψ(u)), (d_v, ψ(v)) to V
5. V verifies that (1) both decommitments are valid, (2) ψ(u), ψ(v) ∈ [3] and (3) ψ(u) ≠ ψ(v).
Claim 18 The above protocol is a CZKP for 3COL, with perfect completeness and soundness error 1 − 1/|E| (V rejects a false statement w.p. at least 1/|E|).

Completeness: Clear.

Soundness: Let {c_v}_{v∈M} be the commitments resulting from an interaction of V with an arbitrary P∗. Define φ: M → [3] as follows: ∀v ∈ M, let φ(v) be the (single, by perfect binding) value that it is possible to decommit c_v into (if there is no such value in [3], set φ(v) = 1). If G ∉ 3COL, then φ is not a valid coloring, so ∃(u, v) ∈ E s.t. φ(u) = φ(v) (or one of c_u, c_v cannot be opened to a value in [3] at all); if V picks that edge it rejects. Hence V rejects such G w.p. at least 1/|E|.
Proving ZK

Fix a deterministic, non-aborting V∗ that gets no auxiliary input.

Algorithm 19 (S) Input: a graph G = (M, E) with n = |G|. Do n · |E| times:
1. Choose e′ = (u, v) ← E. Set ψ(u) ← [3], ψ(v) ← [3] \ {ψ(u)}, and ψ(w) = 1 for w ∈ M \ {u, v}
2. ∀v ∈ M: commit to ψ(v) to V∗ (resulting in c_v and d_v)
3. Let e be the edge sent by V∗. If e = e′, send (d_u, ψ(u)), (d_v, ψ(v)) to V∗, output V∗'s output and halt. Otherwise, rewind the simulation to its first step.
Abort.

Proving ZK cont.

Claim 20 {(P(w_x), V∗)(x)}_{x∈3COL} ≈c {S^{V∗(x)}(x)}_{x∈3COL}, for any {w_x ∈ R_{3COL}(x)}_{x∈3COL}.
Consider the following (inefficient) simulator.

Algorithm 21 (S′) Input: G = (M, E) with n = |G|. Find (using brute force) a valid coloring φ of G. Do n · |E| times:
1. Act as the honest prover does given private input φ (choose π ← Π_3, set ψ = π ∘ φ and commit to ψ(v) for every v ∈ M).
2. Let e = (u, v) be the edge sent by V∗. W.p. 1/|E|, S′ sends (d_u, ψ(u)), (d_v, ψ(v)) to V∗, outputs V∗'s output and halts. Otherwise, rewind the simulation to its first step.
Abort.

Claim 22 {S^{V∗(x)}(x)}_{x∈3COL} ≈c {S′^{V∗(x)}(x)}_{x∈3COL}
Proof: ?
Proving Claim 22

Assume ∃ PPT D, p ∈ poly and an infinite set I ⊆ 3COL s.t.

|Pr[D(|x|, S^{V∗(x)}(x)) = 1] − Pr[D(|x|, S′^{V∗(x)}(x)) = 1]| ≥ 1/p(|x|)

for all x ∈ I. Intuitively, S and S′ differ only in the values inside the commitments that are never opened (the constant 1 in S versus ψ(w) in S′); by a hybrid argument over these commitments, ∃ PPT R∗ and b ≠ b′ ∈ [3] such that

{View_{R∗}(S(b), R∗(x))(1^{|x|})}_{x∈I} and {View_{R∗}(S(b′), R∗(x))(1^{|x|})}_{x∈I}

are computationally distinguishable, where S here denotes the sender in Com. This contradicts the hiding of Com.

We critically used the non-uniform security of Com: R∗ gets x (and with it the coloring of G) as auxiliary input.
S′ is a good simulator

Claim 23 {(P(w_x), V∗)(x)}_{x∈3COL} ≈c {S′^{V∗(x)}(x)}_{x∈3COL}, for any {w_x ∈ R_{3COL}(x)}_{x∈3COL}.
Proof: ? (Compare with Claims 12 and 14: each iteration of S′ produces exactly the honest prover's view, the decision to halt is independent of that view, and the abort probability is (1 − 1/|E|)^{n·|E|} ≤ e^{−n}.)
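Protocol 17 and the simulator of Algorithm 19, run against an honest verifier, a cheating prover on a non-3-colorable graph, and a deterministic cheating verifier. This is an added example and not code from the lecture. It replaces the perfectly binding Com of the slides with a hash-based commitment Com(v; r) = SHA-256(r ‖ v), which is only computationally binding and whose hiding rests on a random-oracle style assumption; that swap is made so the example runs offline and is not what the lecture assumes. The graphs K3, K4, the coloring K3_COLORING, the cheating assignment K4_CHEAT and the verifier rule vstar_edge are constructed for the example.

```python
"""Protocol 17 (CZKP for 3COL) with the rewinding simulator of Algorithm 19.

Added example; not from the lecture slides. Com(v; r) = SHA-256(r || v) is a
hash-based stand-in for the perfectly binding commitment of the slides.
Graphs are (vertices, edges) with vertices 0..|M|-1 and colours in [3] = {0,1,2}.
"""
import hashlib
import random


def commit(value, rng):
    """Com(1^n)(value): fresh 128-bit r, commitment c, decommitment d = (r, value)."""
    r = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(r + bytes([value])).digest(), (r, value)


def open_ok(c, d):
    """Decommitment check used in Step 5 (1)."""
    r, value = d
    return hashlib.sha256(r + bytes([value])).digest() == c


def prover_commit(graph, coloring, rng):
    """Steps 1-2: psi = pi o phi for random pi in Pi_3, then commit to every psi(v)."""
    vertices, _ = graph
    pi = [0, 1, 2]
    rng.shuffle(pi)
    psi = {v: pi[coloring[v]] for v in vertices}
    comms, decs = {}, {}
    for v in vertices:
        comms[v], decs[v] = commit(psi[v], rng)
    return comms, decs


def verifier_check(comms, edge, openings):
    """Step 5: valid decommitments, colours in [3], endpoints coloured differently."""
    u, v = edge
    if not (open_ok(comms[u], openings[u]) and open_ok(comms[v], openings[v])):
        return False
    cu, cv = openings[u][1], openings[v][1]
    return cu in (0, 1, 2) and cv in (0, 1, 2) and cu != cv


def run_protocol(graph, coloring, rng):
    """One execution with the honest V (uniform edge). A cheating P* is modelled by
    passing an invalid colouring: nothing in the protocol checks it up front."""
    _, edges = graph
    comms, decs = prover_commit(graph, coloring, rng)
    edge = edges[rng.randrange(len(edges))]          # Step 3
    openings = {w: decs[w] for w in edge}            # Step 4
    return verifier_check(comms, edge, openings)


def acceptance_rate(graph, coloring, trials=600, seed=1):
    rng = random.Random(seed)
    return sum(run_protocol(graph, coloring, rng) for _ in range(trials)) / trials


def vstar_edge(edges, comms):
    """Constructed deterministic cheating V*: the edge is a function of the commitments."""
    digest = hashlib.sha256(b"".join(comms[v] for v in sorted(comms))).digest()
    return edges[int.from_bytes(digest, "big") % len(edges)]


def simulate(graph, rng, rounds=None):
    """Algorithm 19: guess e', colour only its endpoints (random, distinct), commit,
    open iff V* asks for e', else rewind. Returns V*'s view (commitments, edge,
    openings) or None after n*|E| failed rounds, with n = |M| + |E| as the size of G."""
    vertices, edges = graph
    rounds = (len(vertices) + len(edges)) * len(edges) if rounds is None else rounds
    for _ in range(rounds):
        u, v = edges[rng.randrange(len(edges))]
        psi = {w: 0 for w in vertices}               # dummy colour for unopened vertices
        psi[u] = rng.randrange(3)
        psi[v] = rng.choice([c for c in range(3) if c != psi[u]])
        comms, decs = {}, {}
        for w in vertices:
            comms[w], decs[w] = commit(psi[w], rng)
        e = vstar_edge(edges, comms)
        if e == (u, v):
            return comms, e, {w: decs[w] for w in e}
    return None


def simulator_stats(graph, trials=300, seed=2):
    """(fraction of simulator runs that abort, whether every produced view verifies)."""
    rng = random.Random(seed)
    aborts, all_ok = 0, True
    for _ in range(trials):
        out = simulate(graph, rng)
        if out is None:
            aborts += 1
        else:
            all_ok = all_ok and verifier_check(*out)
    return aborts / trials, all_ok


# Constructed instances.
K3 = ([0, 1, 2], [(0, 1), (1, 2), (0, 2)])
K3_COLORING = {0: 0, 1: 1, 2: 2}
K4 = ([0, 1, 2, 3], [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)])   # not 3-colourable
K4_CHEAT = {0: 0, 1: 1, 2: 2, 3: 0}   # best a P* can do: one monochromatic edge, (0, 3)
```

On K4 the cheating prover is caught only when V happens to pick the single bad edge, i.e. w.p. 1/|E| = 1/6, which is exactly the soundness bound of Claim 18 and why the protocol is repeated; the simulator's view passes Step 5 whenever it does not abort, and the abort rate is far below the (1 − 1/|E|)^{n·|E|} bound. Because the hash commitment is only computationally binding, the soundness argument of Claim 18 (a single value per c_v) holds here only against provers that cannot find SHA-256 collisions.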
Remarks
- Aborting verifiers
- Auxiliary inputs
- Soundness amplification
- Non-uniform hiding guarantee
Extending to all L ∈ NP

Let (P, V) be a CZKP for 3COL, and let MapX and MapW be two poly-time functions s.t.
- ∀x ∈ {0, 1}∗: x ∈ L ⟺ MapX(x) ∈ 3COL,
- ∀x ∈ L and w ∈ R_L(x): MapW(x, w) ∈ R_{3COL}(MapX(x))
(a Karp reduction that also maps witnesses; such reductions exist since 3COL ∈ NPC).

Protocol 24 ((P_L, V_L)) Common input: x ∈ {0, 1}∗. P_L's input: w ∈ R_L(x)
1. The two parties interact in (P(MapW(x, w)), V)(MapX(x)), where P_L and V_L take the roles of P and V respectively.
2. V_L accepts iff V accepts in the above execution.

Extending to all L ∈ NP cont.

Claim 25 (P_L, V_L) is a CZKP for L with the same completeness and soundness as (P, V) has for 3COL.

Completeness and soundness: Clear (V_L runs V on MapX(x), and MapX(x) ∈ 3COL iff x ∈ L).

Zero knowledge: Let S be an (efficient) ZK simulator for (P, V) (for 3COL). Define S_L(x) to output S(MapX(x)), while replacing the string MapX(x) in the output of S with x. Suppose, towards a contradiction, that for some V∗_L the ensembles {(P_L(w_x), V∗_L)(x)}_{x∈L} and {S_L^{V∗_L(x)}(x)}_{x∈L} are computationally distinguishable. Then {(P(MapW(x, w_x)), V∗)(MapX(x))}_{x∈L} and {S^{V∗(MapX(x))}(MapX(x))}_{x∈L} are computationally distinguishable, where V∗(x′): find x^{−1} = MapX^{−1}(x′) and act like V∗_L(x^{−1}). This contradicts the zero knowledge of (P, V). (V∗ needs x^{−1}, and MapX need not be efficiently invertible; this is where auxiliary-input / non-uniform zero knowledge is used, by handing x to V∗ as auxiliary input.)